Compared to Windows systems, Apple has maintained security superiority for many, many years. However, the latest proof-of-concept malware delivery method could put a stop to that.

Nicknamed “Thunderstrike”, this malware is impossible to remove by conventional methods unless you have access to specialized hardware. Trammell Hudson, a security researcher, used a Thunderbolt device's Option ROM to demonstrate how a Thunderbolt peripheral can load what he refers to as a “bootkit”.

Developed in the 1980s, Option ROMs are optional, peripheral-specific firmware designed as an alternate method of storing critical programs or retrieving peripheral-specific blocks of memory. Initialized early in the boot process, they usually attach themselves to the BIOS in order to provide a bootable device or network boot. Devices running on Thunderbolt come equipped with their own Option ROM, which Apple verifies as part of the hardware’s own boot sequence.

What Thunderstrike does is inject itself from the infected Option ROM of the Thunderbolt device straight into the system’s Extensible Firmware Interface (EFI). According to the EFI/UEFI documentation, the firmware should be locked by default, which would make this malicious action impossible.

Based on Hudson’s research and testing, things are not what they appear to be. Hudson has pointed out that the Option ROM kicks in during the recovery mode boot process. During this stage, Apple continues to check the EFI signature itself. If either the file size or its content changes, the check fails, or at least it should have, had Hudson’s research team not come up with a method to replace Apple’s stored public RSA key with one under their complete control.

From that point on, the end user cannot update the device’s firmware with a standard Apple image, because it is not signed with the proper RSA key and any attempt will fail authentication. With this basic level of access to the system, it would be very easy for an attacker to monitor the entire system, log keystrokes, record password data or track websites. If other Thunderbolt devices are connected to a compromised machine, the bootkit could easily be passed on to them.
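To make the signature check described in the last two paragraphs concrete, here is an added example that is not part of the original article and is not Apple's code. It models a machine as a hypothetical `FirmwareDevice` class that installs a firmware image only if the image's hash verifies under the public key the device stores. The key material (textbook RSA over Mersenne primes, no padding), the image bytes and the 88-bit digest truncation are all constructed for illustration and are far too weak for real use; what the example shows is that a changed size or changed content fails the check, and that the check proves nothing once the stored public key itself has been replaced, because genuine images then fail and images signed with the replacement key pass.

```python
import hashlib

# Constructed toy RSA parameters (Mersenne primes). NOT Apple's keys; far too small for real use.
VENDOR_PRIMES = ((1 << 31) - 1, (1 << 61) - 1)    # modulus of roughly 2^92
ATTACKER_PRIMES = ((1 << 89) - 1, (1 << 19) - 1)  # modulus of roughly 2^108
PUBLIC_EXPONENT = 65537


def make_keypair(p, q, e=PUBLIC_EXPONENT):
    """Textbook RSA key generation: returns ((e, n), (d, n))."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (e, n), (d, n)


def image_digest(image: bytes) -> int:
    """SHA-256 of the image, truncated to 88 bits so it fits under every toy modulus above.
    Any change to the content or the length of the image changes this value."""
    return int.from_bytes(hashlib.sha256(image).digest()[:11], "big")


def sign_image(image: bytes, private_key) -> int:
    d, n = private_key
    return pow(image_digest(image), d, n)


def verify_image(image: bytes, signature: int, public_key) -> bool:
    """True only if signature^e mod n equals the digest of the image as presented."""
    e, n = public_key
    return pow(signature, e, n) == image_digest(image)


class FirmwareDevice:
    """Hypothetical model of a machine that only installs firmware signed by its stored key."""

    def __init__(self, trusted_public_key):
        self.trusted_public_key = trusted_public_key
        self.installed = None

    def install(self, image: bytes, signature: int) -> bool:
        if not verify_image(image, signature, self.trusted_public_key):
            return False
        self.installed = image
        return True


def demo():
    vendor_pub, vendor_priv = make_keypair(*VENDOR_PRIMES)
    attacker_pub, attacker_priv = make_keypair(*ATTACKER_PRIMES)
    device = FirmwareDevice(vendor_pub)

    genuine = b"constructed EFI image v1"  # stands in for a vendor-signed firmware image
    genuine_sig = sign_image(genuine, vendor_priv)
    rogue = b"constructed rogue image"     # stands in for an image signed with a foreign key
    rogue_sig = sign_image(rogue, attacker_priv)

    tampered = bytearray(genuine)
    tampered[0] ^= 0x01  # same size, one bit of content changed

    results = {
        "genuine_installs": device.install(genuine, genuine_sig),
        "size_change_rejected": not device.install(genuine + b"\x00", genuine_sig),
        "content_change_rejected": not device.install(bytes(tampered), genuine_sig),
        "rogue_rejected_with_vendor_key": not device.install(rogue, rogue_sig),
    }

    # The failure mode the article describes: the stored public key itself is swapped.
    # The verification routine is unchanged, yet its verdicts invert.
    device.trusted_public_key = attacker_pub
    results["rogue_accepted_after_key_swap"] = device.install(rogue, rogue_sig)
    results["genuine_rejected_after_key_swap"] = not device.install(genuine, genuine_sig)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The defensive takeaway is the last two results: a signature check is only as trustworthy as the storage of the key it checks against, which is why a key that lives in rewritable firmware needs its own protection (a hardware root of trust or write-locked storage) rather than being trusted on the strength of the check alone.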

Could ‘evil maid’ attacks be considered valid vectors?

The only ray of sunshine is that this kind of attack requires physical access to the system, even if only for the briefest of moments. Usually, this makes such an attack a purely theoretical exercise, but Thunderstrike is different. First, the attack works fast. All the attacker needs to do is plug in the Thunderbolt device, hold the power button for a few seconds, and it is done. After this, Thunderstrike self-installs and self-executes in mere minutes. The ordinary observer will only see that the boot cycle takes a bit longer.

The idea behind this ‘evil maid’ attack relies on someone having access to the system while it is locked in a hotel room or safe. This is possible even at conferences, when people leave their laptops unattended to use the bathroom.

The most disturbing thing is one of Edward Snowden’s leaked reports. It details how the NSA intercepts Dell or HP hardware en route in order to rootkit it, then repackages it as if nothing had happened. Since we are certain such tactics happen, it is safe to assume that exploits such as Thunderstrike might be as valuable as gold to the world’s national intelligence agencies.

Apple’s response to this is a patch which will prevent Option ROMs from loading during firmware updates. It is unknown when a true and complete solution will be found.